[Bug]: CORS Middleware, URL-protocol check too strict
aaronz-vipaso opened this issue · 3 comments
Bug Description
When I try to start my fiber application, which has a CORS origin configured with a protocol other than http or https, the application panics.
Specifically, KaiOS devices need to have a CORS origin configured with the protocol: app://
Lines 49 to 52 in c86c3c0
fiber/middleware/cors/utils.go
Lines 34 to 43 in c86c3c0
How to Reproduce
Steps to reproduce the behavior:
- Configure the origin app://example.com in the CORS middleware
- Start fiber
- -> App panics
Expected Behavior
Do not panic, but allow origins with any protocol.
Fiber Version
v2.52.5
Code Snippet (optional)
package main

import (
	"github.com/gofiber/fiber/v2"
	"github.com/gofiber/fiber/v2/middleware/cors"
)

func main() {
	app := fiber.New()

	// The app:// origin below triggers the panic described above.
	app.Use(cors.New(cors.Config{
		AllowOrigins: "https://example.com, app://example.com",
	}))

	app.Get("/", func(c *fiber.Ctx) error {
		return c.SendString("Hello, World!")
	})

	app.Listen(":3000")
}
Checklist:
- I agree to follow Fiber's Code of Conduct.
- I have checked for existing issues that describe my problem prior to opening this one.
- I understand that improperly formatted bug reports may be closed without explanation.
Thanks for opening your first issue here! Be sure to follow the issue template! If you need help or want to chat with us, join us on Discord https://gofiber.io/discord
I have to check the RFC to see which protocol schemes are allowed
@gaby The RFC of the Origin header (RFC 6454: The Web Origin Concept) does not restrict the protocol (scheme).
The CORS protocol, in general, is not defined in an RFC but in the W3C recommendation titled "Fetch standard" under 3.2. This one also doesn't restrict the protocol.
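One way to validate configured origins against the RFC 6454 serialization (scheme "://" host [":" port]) without restricting the scheme, returning an error rather than panicking. This is an added example, not Fiber's code; validateOrigin and validateOrigins are hypothetical names, and wildcard entries such as * are not handled.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// validateOrigin is a hypothetical helper (not part of Fiber). It accepts any
// scheme but requires the shape scheme "://" host [":" port] and nothing else.
func validateOrigin(origin string) error {
	u, err := url.Parse(origin)
	if err != nil {
		return fmt.Errorf("origin %q: %w", origin, err)
	}
	// "example.com" parses as a path and "javascript:x" as opaque data:
	// both end up without a host and are rejected here.
	if u.Scheme == "" || u.Hostname() == "" {
		return fmt.Errorf("origin %q: scheme and host are required", origin)
	}
	// An origin carries no userinfo, path, query or fragment.
	if u.User != nil || u.Path != "" || u.RawQuery != "" || u.Fragment != "" {
		return fmt.Errorf("origin %q: only scheme, host and port are allowed", origin)
	}
	return nil
}

// validateOrigins splits a comma-separated AllowOrigins value and returns an
// error for the first bad entry, so the caller can report it instead of panicking.
func validateOrigins(allowOrigins string) ([]string, error) {
	var out []string
	for _, o := range strings.Split(allowOrigins, ",") {
		o = strings.TrimSpace(o)
		if err := validateOrigin(o); err != nil {
			return nil, err
		}
		out = append(out, o)
	}
	return out, nil
}

func main() {
	// Constructed sample input: the AllowOrigins value from the report above.
	origins, err := validateOrigins("https://example.com, app://example.com")
	fmt.Println(origins, err)
}
```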